<!--
  This file is a part of the open-eBackup project.
  This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0.
  If a copy of the MPL was not distributed with this file, You can obtain one at
  http://mozilla.org/MPL/2.0/.
  
  Copyright (c) [2024] Huawei Technologies Co.,Ltd.
  
  THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
  EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
  MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
  -->


<!DOCTYPE html
  PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="DC.Type" content="topic">
<meta name="DC.Title" content="Creating an Intelligent Detection Policy">
<meta name="product" content="">
<meta name="DC.Relation" scheme="URI" content="en-us_topic_0000001829819561.html">
<meta name="prodname" content="">
<meta name="version" content="">
<meta name="brand" content="00-OceanCyber 300 1.1.0 Online Help">
<meta name="DC.Publisher" content="20241203">
<meta name="DC.Format" content="XHTML">
<meta name="DC.Identifier" content="EN-US_TOPIC_0000001829819617">
<meta name="DC.Language" content="en-us">
<link rel="stylesheet" type="text/css" href="public_sys-resources/commonltr.css">
<title>Creating an Intelligent Detection Policy</title>
</head>
<body style="clear:both; padding-left:10px; padding-top:5px; padding-right:5px; padding-bottom:5px"><a name="EN-US_TOPIC_0000001829819617"></a><a name="EN-US_TOPIC_0000001829819617"></a>

<h1 class="topictitle1">Creating an Intelligent Detection Policy</h1>
<div id="body0000001482413418"><p id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_p1232219182511">This section describes how to create an intelligent detection policy, which generates ransomware detection snapshots for a file system.</p>
<div class="section" id="EN-US_TOPIC_0000001829819617__section19341049194115"><h4 class="sectiontitle">Precautions</h4><ul id="EN-US_TOPIC_0000001829819617__ul328171214429"><li id="EN-US_TOPIC_0000001829819617__li16281212164214">The <span id="EN-US_TOPIC_0000001829819617__text1313824101312">OceanCyber 300 Data Security Appliance</span> is a server deployed in single-node mode. To ensure that services can be quickly restored if the server is faulty, users need to set management data backup policies and ensure that a management data restoration system is available.</li><li id="EN-US_TOPIC_0000001829819617__li028110121426">Ransomware detection is not performed for file systems created by the <span id="EN-US_TOPIC_0000001829819617__text19250121813519">OceanCyber 300 Data Security Appliance</span> itself.</li><li id="EN-US_TOPIC_0000001829819617__li4281151219423">Ransomware detection is not performed for the CLONE file system.</li><li id="EN-US_TOPIC_0000001829819617__li428115129421">If <strong id="EN-US_TOPIC_0000001829819617__b73981957183010">Uninfected Snapshot Lock</strong> is enabled for an intelligent detection policy, the confirmed uninfected snapshots are converted to secure snapshots and cannot be manually deleted within the retention period.</li><li id="EN-US_TOPIC_0000001829819617__li1728111124420">The <span id="EN-US_TOPIC_0000001829819617__text3965202105118">OceanCyber 300 Data Security Appliance</span> uses the snapshot difference RESTful API of the storage device to obtain the changed file information of file systems. The OceanCyber Data Security Appliance automatically enables the snapshot comparison function for detected file systems.</li></ul>
</div>
<div class="section" id="EN-US_TOPIC_0000001829819617__section16497142464611"><h4 class="sectiontitle">Procedure</h4><ol id="EN-US_TOPIC_0000001829819617__ol7499132416464"><li id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_li149381918143112"><span>Choose <span class="uicontrol" id="EN-US_TOPIC_0000001829819617__uicontrol11163163816356"><b>Data Security &gt; Intelligent Detection</b></span>.</span></li><li id="EN-US_TOPIC_0000001829819617__li59781743184615"><span>Click <span id="EN-US_TOPIC_0000001829819617__text1822116053515"><strong>Intelligent Detection Policies</strong></span>.</span></li><li id="EN-US_TOPIC_0000001829819617__li1414511249483"><span>Click <span id="EN-US_TOPIC_0000001829819617__text16719141763513"><strong>Create</strong></span>.</span></li><li id="EN-US_TOPIC_0000001829819617__li6387118134912"><span>Customize an intelligent detection policy name.</span></li><li id="EN-US_TOPIC_0000001829819617__li141200409527"><span>Set <strong id="EN-US_TOPIC_0000001829819617__b1232919385280">Detection Method</strong>.</span><p><ul id="EN-US_TOPIC_0000001829819617__ul575405120205"><li id="EN-US_TOPIC_0000001829819617__li3754251182017">Select <span class="uicontrol" id="EN-US_TOPIC_0000001829819617__uicontrol12453175119259"><b><span id="EN-US_TOPIC_0000001829819617__text86753357571"><strong>Generate only ransomware detection snapshots</strong></span></b></span>. If this detection method is selected, only ransomware detection snapshots are generated and the snapshots are not detected immediately. You can select the snapshot to be detected for manual detection. 
To perform manual detection, choose <span class="menucascade" id="EN-US_TOPIC_0000001829819617__menucascade84251721172715"><b><span class="uicontrol" id="EN-US_TOPIC_0000001829819617__uicontrol13616192202712"><span id="EN-US_TOPIC_0000001829819617__text05147310236"><strong>Data Security</strong></span> &gt; <span id="EN-US_TOPIC_0000001829819617__text481381812239"><strong>Snapshot Data</strong></span></span></b></span>, locate the row that contains the target snapshot, and choose <span class="menucascade" id="EN-US_TOPIC_0000001829819617__menucascade1349014217285"><b><span class="uicontrol" id="EN-US_TOPIC_0000001829819617__uicontrol1948918423288"><span id="EN-US_TOPIC_0000001829819617__text91558518502"><strong>More</strong></span></span></b> &gt; <b><span class="uicontrol" id="EN-US_TOPIC_0000001829819617__uicontrol76601943102811"><span id="EN-US_TOPIC_0000001829819617__text127035101508"><strong>Detect Now</strong></span></span></b></span>.</li><li id="EN-US_TOPIC_0000001829819617__li2150619102513">Select <span class="uicontrol" id="EN-US_TOPIC_0000001829819617__uicontrol17618962912"><b><span id="EN-US_TOPIC_0000001829819617__text233919115584"><strong>Start detection upon ransomware detection snapshot generation</strong></span></b></span>.<ul id="EN-US_TOPIC_0000001829819617__ul11808153312296"><li id="EN-US_TOPIC_0000001829819617__li10485132512295">Set <span class="uicontrol" id="EN-US_TOPIC_0000001829819617__uicontrol19785484395"><b><span id="EN-US_TOPIC_0000001829819617__text109221073011"><strong>Backup Copy In-Depth Detection</strong></span></b></span>. This parameter applies only to the file system of the OceanProtect Backup Storage device. After this function is enabled, the OceanCyber 300 Data Security Appliance performs in-depth parsing and detection on backup copy files in the backup storage to evaluate whether the original files (files on the backup production storage device) in the backup copy files are infected. 
If this function is enabled, the overall detection time may be extended.<div class="note" id="EN-US_TOPIC_0000001829819617__note0587455585"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="EN-US_TOPIC_0000001829819617__ul16617115054712"><li id="EN-US_TOPIC_0000001829819617__li13617185074717">After <span class="uicontrol" id="EN-US_TOPIC_0000001829819617__uicontrol1097720385913"><b><span id="EN-US_TOPIC_0000001829819617__text797712382095"><strong>Backup Copy In-Depth Detection</strong></span></b></span> is enabled, you can adjust the sensitivity of the backup copy detection algorithm. If <strong id="EN-US_TOPIC_0000001829819617__b22514378240">Sensitivity</strong> is set to <strong id="EN-US_TOPIC_0000001829819617__b7769451241">High</strong>, an alarm may be triggered when a small amount of data is encrypted or similar operations are performed, increasing the risk of misreports. <strong id="EN-US_TOPIC_0000001829819617__b167562312295">Medium</strong> sensitivity is recommended for service scenarios without special requirements.</li><li id="EN-US_TOPIC_0000001829819617__li4617155010477">The sensitivity adjustment of the backup copy detection algorithm takes effect only for VM, database, or Veeam-based host file backup copies.</li></ul>
</div></div>
</li></ul>
<ul id="EN-US_TOPIC_0000001829819617__ul566151318912"><li id="EN-US_TOPIC_0000001829819617__li206615139915">Set <span class="uicontrol" id="EN-US_TOPIC_0000001829819617__uicontrol581611135613"><b><span id="EN-US_TOPIC_0000001829819617__text19818112563"><strong>Uninfected Snapshot Lock</strong></span></b></span>. The <span id="EN-US_TOPIC_0000001829819617__text14550989380"><strong>Uninfected Snapshot Lock</strong></span> parameter means that snapshots for which no ransomware file is detected will be locked. After this function is enabled, uninfected snapshots will change to secure snapshots, and the snapshot retention period will be prolonged. Modification or deletion is not allowed before the snapshots expire.</li></ul>
</li></ul>
</p></li><li id="EN-US_TOPIC_0000001829819617__li278418594584"><span>Configure parameters under <strong id="EN-US_TOPIC_0000001829819617__b16931172843215">Ransomware detection snapshot</strong>. <a href="#EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_table1591417351806">Table 1</a> describes the related scenarios.</span><p><div class="p" id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_p1191213351402">Set the ransomware detection snapshot generation interval, ransomware snapshot generation window, and snapshot retention period based on service requirements. The suggestions are as follows:<ul id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_ul169120351012"><li id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_li11556248153216">The intelligent ransomware detection rate is about 1000 changed files per second. Evaluate the ransomware snapshot generation interval based on the number of files in the file system. It is recommended that the ransomware snapshot generation interval be longer than the time required for intelligent ransomware detection, so that detection jobs do not stack up.</li><li id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_li139122353016">It is recommended that the time at which the first ransomware snapshot is generated be the same as the start time of the time window.</li><li id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_li129129359010">The snapshot retention period must be longer than the interval between two consecutive ransomware detection snapshot generations.</li></ul>

<div class="tablenoborder"><a name="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_table1591417351806"></a><a name="en-us_topic_0000001340823161_en-us_topic_0000001283134344_table1591417351806"></a><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_table1591417351806" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Configuring an intelligent ransomware detection snapshot policy</caption><colgroup><col style="width:10.83%"><col style="width:13.889999999999999%"><col style="width:75.28%"></colgroup><thead align="left"><tr id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_row391217351202"><th align="left" class="cellrowborder" colspan="2" valign="top" id="mcps1.3.3.2.6.2.1.2.2.4.1.1"><p id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_p591273518016">Scenario</p>
</th>
<th align="left" class="cellrowborder" valign="top" id="mcps1.3.3.2.6.2.1.2.2.4.1.2"><p id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_p2912103510019">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_row19132351607"><td class="cellrowborder" colspan="2" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.1 "><p id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_p1791310351307"><span id="EN-US_TOPIC_0000001829819617__text258102520408"><strong>By Year</strong></span></p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.2 "><p id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_p1138183754211">Set a day to execute the ransomware snapshot generation job each year. Set the snapshot retention period to <em id="EN-US_TOPIC_0000001829819617__i141661847115617">xx</em> days, weeks, months, or years, or set it to <strong id="EN-US_TOPIC_0000001829819617__b92301853185819">Permanently</strong>. Set a time period during which ransomware snapshot generation is allowed.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_row10172155863813"><td class="cellrowborder" colspan="2" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.1 "><p id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_p1236218263914"><span id="EN-US_TOPIC_0000001829819617__text13709143517403"><strong>By Month</strong></span></p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.2 "><p id="EN-US_TOPIC_0000001829819617__p429217582589">Set the ransomware snapshot generation job to be executed once every month by specifying a day or on the last day of each month. Set the snapshot retention period to <em id="EN-US_TOPIC_0000001829819617__i832693465912">xx</em> days, weeks, months, or years, or set it to <strong id="EN-US_TOPIC_0000001829819617__b14538139012">Permanently</strong>. Set a time period during which ransomware snapshot generation is allowed.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001829819617__row782441875816"><td class="cellrowborder" colspan="2" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.1 "><p id="EN-US_TOPIC_0000001829819617__p18286183516581"><span id="EN-US_TOPIC_0000001829819617__text254211474403"><strong>By Week</strong></span></p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.2 "><p id="EN-US_TOPIC_0000001829819617__p08251418135812">Set the ransomware snapshot generation job to be executed once every Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, or Sunday (you can select multiple options). Set the snapshot retention period to <em id="EN-US_TOPIC_0000001829819617__i13879439702">xx</em> days, weeks, months, or years, or set it to <strong id="EN-US_TOPIC_0000001829819617__b1715616581104">Permanently</strong>. Set a time period during which ransomware snapshot generation is allowed.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001829819617__row235723215587"><td class="cellrowborder" colspan="2" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.1 "><p id="EN-US_TOPIC_0000001829819617__p498193665815"><span id="EN-US_TOPIC_0000001829819617__text35589589400"><strong>By day</strong></span></p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.2 "><p id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_p176602843519">Set an interval to execute the ransomware snapshot generation job once every <em id="EN-US_TOPIC_0000001829819617__i299222444">xx</em> days since the start date. Set the snapshot retention period to <em id="EN-US_TOPIC_0000001829819617__i185511111129">xx</em> days, weeks, months, or years, or set it to <strong id="EN-US_TOPIC_0000001829819617__b12555111723">Permanently</strong>. Set a time period during which ransomware snapshot generation is allowed.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001829819617__row1395102635814"><td class="cellrowborder" colspan="2" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.1 "><p id="EN-US_TOPIC_0000001829819617__p678203811581"><span id="EN-US_TOPIC_0000001829819617__text26067145413"><strong>By Hour</strong></span></p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.2 "><p id="EN-US_TOPIC_0000001829819617__p295117269582">Set an interval to execute the ransomware snapshot generation job once every <em id="EN-US_TOPIC_0000001829819617__i1066584413419">xx</em> hours since the start date. Set the snapshot retention period to <em id="EN-US_TOPIC_0000001829819617__i06661444643">xx</em> days, weeks, months, or years, or set it to <strong id="EN-US_TOPIC_0000001829819617__b17666184415419">Permanently</strong>. Set a time period during which ransomware snapshot generation is allowed.</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<p id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_p19806916101417">Once the snapshot retention period ends, the system automatically deletes the expired snapshot.</p>
<div class="note" id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_note25251113121414"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_ul20525121320142"><li id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_li05251713151410">If the end time of a ransomware snapshot generation job is earlier than or equal to the start time, the actual end time falls on the next day.</li><li id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_li1552591313146">If the ransomware snapshot generation job is not complete within the specified time window, the system does not stop the job but generates an alarm.</li></ul>
</div></div>
</p></li><li id="EN-US_TOPIC_0000001829819617__li713074195710"><span>Set advanced parameters for configuring the intelligent detection policy. <a href="#EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_table79151351804">Table 2</a> lists the related parameters.</span><p>
<div class="tablenoborder"><a name="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_table79151351804"></a><a name="en-us_topic_0000001340823161_en-us_topic_0000001283134344_table79151351804"></a><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_table79151351804" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Advanced parameters for configuring an intelligent detection policy</caption><colgroup><col style="width:30.06%"><col style="width:69.94%"></colgroup><thead align="left"><tr id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_row791411353020"><th align="left" class="cellrowborder" valign="top" width="30.06%" id="mcps1.3.3.2.7.2.1.2.3.1.1"><p id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_p1291453517013">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="69.94%" id="mcps1.3.3.2.7.2.1.2.3.1.2"><p id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_p491413351904">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_row291417351304"><td class="cellrowborder" valign="top" width="30.06%" headers="mcps1.3.3.2.7.2.1.2.3.1.1 "><p id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_p189144351802"><span id="EN-US_TOPIC_0000001829819617__text15387354417"><strong>Job Failure Alarm</strong></span></p>
</td>
<td class="cellrowborder" valign="top" width="69.94%" headers="mcps1.3.3.2.7.2.1.2.3.1.2 "><p id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_p11872124113514">This option is enabled by default. An alarm is sent if the job fails and will be automatically cleared after successful job execution.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_row691510358017"><td class="cellrowborder" valign="top" width="30.06%" headers="mcps1.3.3.2.7.2.1.2.3.1.1 "><p id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_p8915535609"><span id="EN-US_TOPIC_0000001829819617__text1954265712418"><strong>Automatic Retry</strong></span></p>
</td>
<td class="cellrowborder" valign="top" width="69.94%" headers="mcps1.3.3.2.7.2.1.2.3.1.2 "><p id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_p59151935109">This option is enabled by default. If a ransomware detection snapshot generation job fails, the system automatically retries the job.</p>
<div class="p" id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_p159158351007">The number of retries ranges from 1 to 5, and the wait time ranges from 1 to 30 minutes. For example, if the number of retries is set to 3 and the wait time is set to 5 minutes, the system retries three times at 5-minute intervals.<div class="note" id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_note1191518351206"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="EN-US_TOPIC_0000001829819617__en-us_topic_0000001340823161_en-us_topic_0000001283134344_p49151035302">During automatic retry, the system creates a ransomware detection snapshot generation job. If the job falls outside the specified time window, it is not executed and the generation fails.</p>
</div></div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="EN-US_TOPIC_0000001829819617__li12971122751319"><span>Click <span id="EN-US_TOPIC_0000001829819617__text195347135428"><strong>OK</strong></span>. The intelligent detection policy is created.</span></li></ol>
</div>
</div>
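<p>Added example (not part of the product documentation or the open-eBackup code): a Python pre-check that applies the sizing rules from this procedure to a planned policy before it is entered in the GUI. The function names, the changed-file estimate and the retry timing model (first attempt starts at window open and fails immediately) are assumptions made for illustration.</p>

```python
from datetime import date, datetime, time, timedelta

DETECTION_RATE = 1000  # changed files per second: the approximate rate this page states


def window_bounds(day, start, end):
    """Open/close datetimes of the generation window that starts on `day`.

    Per the page's note, an end time earlier than or equal to the start
    time means the window closes on the next day.
    """
    opens = datetime.combine(day, start)
    closes = datetime.combine(day, end)
    if end <= start:
        closes += timedelta(days=1)
    return opens, closes


def check_policy(changed_files, interval, retention, start, end, retries, wait_min):
    """Return findings for a planned policy; an empty list means none.

    changed_files -- assumed estimate of files changed between two snapshots
    interval      -- timedelta between snapshot generations
    retention     -- timedelta, or None for "Permanently"
    start, end    -- datetime.time bounds of the generation window
    """
    findings = []

    # Detection should finish before the next snapshot is generated.
    detect = timedelta(seconds=changed_files / DETECTION_RATE)
    if interval <= detect:
        findings.append(f"detection jobs stack: interval {interval} <= detection time {detect}")

    # Retention must be longer than the interval between two generations.
    if retention is not None and retention <= interval:
        findings.append(f"retention {retention} is not longer than interval {interval}")

    # Ranges given for Automatic Retry in Table 2.
    if not 1 <= retries <= 5:
        findings.append("retries must be between 1 and 5")
    if not 1 <= wait_min <= 30:
        findings.append("wait time must be between 1 and 30 minutes")

    # A retry outside the window is not executed. Assumed best case: the
    # first attempt starts at window open and fails at once, so retry k
    # is due k * wait_min minutes later. The date is arbitrary.
    opens, closes = window_bounds(date(2024, 1, 1), start, end)
    last_retry = opens + timedelta(minutes=retries * wait_min)
    if last_retry >= closes:
        findings.append(f"last retry misses the window: due {last_retry:%H:%M}, closes {closes:%H:%M}")
    return findings


if __name__ == "__main__":
    # Constructed policy: daily snapshots, 7-day retention, 22:00-02:00 window,
    # 3 retries 5 minutes apart, and an estimated 90 million changed files a day.
    for finding in check_policy(90_000_000, timedelta(days=1), timedelta(days=7),
                                time(22, 0), time(2, 0), retries=3, wait_min=5):
        print(finding)
```

<p>With the constructed input, 90 million changed files take about 25 hours to scan at 1000 files per second, so a daily interval is reported as stacking detection jobs.</p>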

<div class="hrcopyright"><hr size="2"></div><div class="hwcopyright">Copyright &copy; Huawei Technologies Co., Ltd.</div></body>
</html>